b'                                                                             Report No. DODIG-2014-089\n\n\n\n\n              I nspec tor Ge ne ral\n                                                U.S. Department of Defense\n\n              JUNE 30, 2014\n\n\n\n\n                     Implementation of 2011 Generally\n                     Accepted Government Auditing\n                     Standards Independence Standards\n                     at the DoD Audit Organizations\n\n\n\n\nI N T E G R I T Y \xef\x82\xab E F F I C I E N C Y \xef\x82\xab A C C O U N TA B I L I T Y \xef\x82\xab E X C E L L E N C E\n\x0c         I N T E G R I T Y \xef\x82\xab E F F I C I E N C Y \xef\x82\xab A C C O U N TA B I L I T Y \xef\x82\xab E X C E L L E N C E\n\n\n\n\n                                            Mission\n      Our mission is to provide independent, relevant, and timely oversight\n      of the Department of Defense that supports the warfighter; promotes\n      accountability, integrity, and efficiency; advises the Secretary of\n                 Defense and Congress; and informs the public.\n\n\n\n                                              Vision\n      Our vision is to be a model oversight organization in the Federal\n      Government by leading change, speaking truth, and promoting\n      excellence\xe2\x80\x94a diverse organization, working together as one\n               professional team, recognized as leaders in our field.\n\n\n\n\n                                        Fraud, Waste, & Abuse\n\n                                        HOTLINE\n                                        Department of Defense\n                                        d o d i g. m i l / h o t l i n e\n\n\n\n\nFor more information about whistleblower protection, please see the inside back cover.\n\x0c                                       Results in Brief\n                                       Implementation of 2011 Generally Accepted\n                                       Government Auditing Standards Independence\n                                       Standards at the DoD Audit Organizations\n\n\nJune 30, 2014\n\nObjective                                             Recommendations\nWe conducted this review to determine                 We recommend that the specified DoD agencies or audit\nwhether     the  DoD    audit   organizations         organizations:\nimplemented the December 2011 generally\naccepted government auditing standards                   \xe2\x80\xa2\t establish internal policies or procedures implementing\n(GAGAS) independence standards and whether                  the December 2011 GAGAS independence standards,\nthe standards were being followed. We\n                                                         \xe2\x80\xa2\t create internal policies and procedures detailing how\nreviewed 16 of the 21 DoD audit organizations\n                                                            nonaudit service requests will be processed,\n(see Appendix A Scope and Methodology for\nour rationale).                                          \xe2\x80\xa2\t perform all the required independence analyses and\n                                                            document the results before accepting a nonaudit service,\n\nFindings                                                 \xe2\x80\xa2\t include policies and procedures for performing control\nOf the 16 DoD audit organizations reviewed,                 self-assessments and continuous auditing, and\n10 had fully implemented, 4 had partially\n                                                         \xe2\x80\xa2\t remove language from agency operational procedures that\nimplemented, and 2 had not implemented the\n                                                            appears to direct the functions of an internal review office.\n2011 GAGAS independence standards.\n\nIn     addition,  four   audit    organizations       Management Comments and\nperforming nonaudit services did not fully            Our Response\nassess and document potential impairments to\n                                                      Five of the seven respondents agreed with our\nindependence as required by GAGAS 3.34.\n                                                      recommendations. The Auditor General, Department of the\nGAGAS 3.34 requires the auditor to assess the\n                                                      Army agreed with the intent of our recommendation but only\nskill, knowledge, or experience of the audited\n                                                      partially addressed all the specifics of the recommendation,\nentity management\xe2\x80\x99s designated individual who\n                                                      and the Commander, Naval Supply Systems Command,\nwill oversee and accept responsibility for the\n                                                      responding for the Chief Executive Officer, Naval Exchange\nnonaudit service.\n                                                      Service Command, disagreed with two recommendations and\n                                                      did not adequately address one of the four recommendations.\nAlso,   some      auditors\xe2\x80\x99    statements  of\n                                                      We request these two agencies provide comments to this final\nindependence     were    either    missing or\n                                                      report. Please see the Recommendations Table on the back\nimproperly completed.        In addition, one\n                                                      of this page.\naudit organization failed to comply with the\nstandards when performing control self-\nassessments and continuous auditing.\n\n\n\nVisit us on the web at www.dodig.mil\n\n\n                                                                          DODIG-2014-089 (Project No. D2013-DAPOIA-0011.001) \xe2\x94\x82 i\n\x0c                   Recommendations Table\n                                                                        Recommendations       No Additional\n                                          Management                    Requiring Comment   Comments Required\n                    The Auditor General, Department of the Army         B.1\n                    Director, Defense Information Systems Agency                            A.2\n                    Director, National Geospatial-Intelligence Agency                       A.2\n                    Director, Missile Defense Agency                                        A.3, B.1\n                    Commander, United States Special Operations                             A.1\n                    Command\n                    Director and Chief Executive Officer, Army and                          A.3, B.1\n                    Air Force Exchange Service\n                    Chief Executive Officer, Naval Exchange Service     B.1, B.2, and B.3   A.1\n                    Command\n\n                   Provide management comments by July 30, 2014.\n\n\n\n\nii \xe2\x94\x82 DODIG-2014-089 (Project No. D2013-DAPOIA-0011.001)\n\x0c                               INSPECTOR GENERAL\n                              DEPARTMENT OF DEFENSE\n                              4800 MARK CENTER DRIVE\n                           ALEXANDRIA, VIRGINIA 22350-1500\n\n\n                                                                             June 30, 2014\n\nMEMORANDUM FOR COMMANDER, UNITED STATES SPECIAL OPERATIONS COMMAND\n\t\t             DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY\n\t\t             DIRECTOR, MISSILE DEFENSE AGENCY\n\t\t             DIRECTOR, NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY\n\t\t             AUDITOR GENERAL, DEPARTMENT OF THE ARMY\n\t\t             DIRECTOR AND CHIEF EXECUTIVE OFFICER, ARMY AND AIR FORCE\n\t\t\t             EXCHANGE SERVICE\n\t\t             CHIEF EXECUTIVE OFFICER, NAVAL EXCHANGE SERVICE COMMAND\n\nSUBJECT: Implementation of the 2011 Generally Accepted Government Auditing\n\t        Standards Independence Standards at the DoD Audit Organizations\n\t        (Report No. DODIG-2014-089)\n\nWe are providing this report for your review and comment. Five of the seven respondents\nfully concurred with their specific recommendation(s). However, the Auditor General,\nDepartment of the Army concurred with the intent of our recommendation but only\npartially addressed all the specifics of the recommendation, and the Commander, Naval\nSupply Systems Command, responding in place of the Chief Executive Officer, Naval\nExchange Service Command, nonconcurred with two and did not adequately address\none of the four recommendations.\n\nWe considered management comments on a draft of this report when preparing the\nfinal report. DoD Directive 7650.3 requires that recommendations be resolved promptly.\nComments from the Directors, Defense Information Systems Agency, National Geospatial-\nIntelligence Agency, and Missile Defense Agency, the Commander, United States Special\nOperations Command, and the Director and Chief Executive Officer, Army and Air Force\nExchange Service were responsive, and we do not require additional comments. The Auditor\nGeneral, Department of the Army also provided comments that were partially responsive\non Recommendation B.1. The Commander, Naval Supply Systems Command also provided\ncomments to Recommendations A.1, B.1, B.2, and B.3. Comments to Recommendation A.1\nwere responsive, and we do not require additional comments. However, comments to\nRecommendations B.1, B.2, and B.3 did not adequately address the recommendations.\nTherefore, we request additional comments on Recommendation B.1 (Auditor General,\nDepartment of the Army) and Recommendations B.1, B.2, and B.3 (Commander, Naval\nSupply Systems Command) by July 30, 2014.\n\nPlease provide comments that conform to the requirements of DoD Directive 7650.3.\nPlease send a PDF file containing your comments to the email address cited in the\nlast paragraph on this memorandum.              Copies of your comments must have the\nactual signature of the authorizing official for your organization. We cannot accept\nthe /Signed/ symbol in place of the actual signature.\n\n\n\n                                                                                     DODIG-2014-089 \xe2\x94\x82 iii\n\x0c                  We appreciate the courtesies extended to the staff. Please direct questions to\n                  Carolyn R. Davis at (703) 604-8877 (DSN 664-8877), carolyn.davis@dodig.mil.\n\n\n\n\n                  \t                                            Randolph R. Stone\n                  \t                                            Deputy Inspector General\n                  \t                                            Policy and Oversight\n                  cc:\n                  Director, Defense Commissary Agency\n                  Director, Defense Contract Management Agency\n                  Director, Defense Finance and Accounting Service\n                  Director, Defense Intelligence Agency\n                  Director, Defense Logistics Agency\n                  Director, National Reconnaissance Office\n                  Director, National Security Agency\n                  Deputy Inspector General for Audit, DoD Office of Inspector General\n                  Auditor General, Naval Audit Service\n                  Auditor General, Air Force Audit Agency\n                  Assistant Deputy Commandant for Programs and Resources, and Fiscal Director,\n                    United States Marine Corps\n\n\n\n\niv \xe2\x94\x82 DODIG-2014-089\n\x0cContents\nIntroduction\nObjectives_________________________________________________________________________________________1\nBackground ______________________________________________________________________________________1\n\nFinding A. DoD Audit Organizations\xe2\x80\x99 Internal\nPolicies for Implementing the 2011 GAGAS\nIndependence Standards_______________________________________________________2\nGAGAS Independence Standards _______________________________________________________________2\nQuality of the Independence Policies___________________________________________________________4\nRecommendations, Management Comments, and Our Response____________________________4\n\nFinding B. DoD Audit Organizations\xe2\x80\x99 Adherence to the\n2011 GAGAS Independence Standards_______________________________8\nGAGAS-Required Analysis and Documentation for Nonaudit Services ______________________8\nMissing or Improperly Completed Auditor Statements of Independence___________________9\nNaval Exchange Service Command Internal Audit\xe2\x80\x99s Application\n   of the GAGAS Conceptual Framework____________________________________________________ 10\nRecommendations, Management Comments, and Our Response__________________________ 12\n\nAppendixes\nAppendix A. Scope and Methodology________________________________________________________ 17\nAppendix B. GAGAS Conceptual Framework for Independence___________________________ 19\nAppendix C. DoD Audit Organizations\xe2\x80\x99 Policies on Independence_________________________ 20\nAppendix D. Best Practice for Formatting Auditor Statement of Independence__________ 22\n\nManagement Comments\nThe Auditor General, Department of the Army Comments_________________________________ 23\nDirector, Defense Information Systems Agency Comments_________________________________ 25\nDirector, National Geospatial-Intelligence Agency Comments_____________________________ 27\nDirector, Missile Defense Agency Comments________________________________________________ 35\nCommander, United States Special Operations Command Comments_____________________ 37\nDirector and Chief Executive Officer, Army and Air Force\n    Exchange Service Comments_____________________________________________________________ 38\nCommander, Naval Supply Systems Command Comments_________________________________ 39\n\nAcronyms and Abbreviations______________________________________________ 43\n                                                                                                       DODIG-2014-089 \xe2\x94\x82 v\n\x0c\x0c                                                                                                                                   Introduction\n\n\n\n\nIntroduction\nObjectives\nWe conducted this review to determine whether the DoD audit organizations\nimplemented             the      December          2011        generally        accepted        government            auditing\nstandards (GAGAS) independence standards and whether the standards were being\nfollowed. See Appendix\xc2\xa0A for our scope and methodology.\n\n\nBackground\nGenerally Accepted Government Auditing Standards\nThe Government Accountability Office (GAO) revised GAGAS in December 2011.1\nThe most significant area that changed was the independence standards (to\ninclude nonaudit services). GAO created a new GAGAS Conceptual Framework for\nIndependence (see Appendix B for the framework) to provide a means for auditors\nto assess their independence for activities that are not expressly prohibited in\nthe standards.              This more principles-based approach to analyzing independence\nprovides the framework for auditors to assess the unique facts and circumstances\nthat arise during their work that could impair independence. This new framework\ncovers auditor, organizational, and audit (to include nonaudit services) independence.\n\nIn addition, a new requirement was added to nonaudit services: to assess and evaluate\nthe audited entity management\xe2\x80\x99s ability and willingness to oversee the nonaudit\nservice and for management to designate an individual who possesses suitable skill,\nknowledge, or experience, and that the individual understands the service to be\nperformed sufficiently to oversee it.\n\n\n\n\n\t1\t\n      The 2011 revision of generally accepted government auditing standards is effective for financial audits and attestation\n      engagements for periods ending on or after December 15, 2012, and for performance audits beginning on or after\n      December 15, 2011. Early implementation was not permitted.\n\n\n\n\n                                                                                                                                DODIG-2014-089 \xe2\x94\x82 1\n\x0cFinding A\n\n\n\n\n                 Finding A\n                 DoD Audit Organizations\xe2\x80\x99 Internal Policies for\n                 Implementing the 2011 GAGAS Independence\n                 Standards\n                 Of the 16 DoD audit organizations reviewed, 10 had fully implemented, 4 had\n                 partially implemented, and 2 had not implemented the 2011 GAGAS independence\n                 standards.     As a result, potential organizational impairments to independence\n                 existed for the six audit organizations that had not fully implemented the new\n                 independence standards.\n\n\n\n\n                 GAGAS Independence Standards\n                 The GAO December 2011 GAGAS revision requires audit organizations to establish\n                 policies and procedures on independence. GAGAS 3.88 states:\n\n                              Audit organizations should establish policies and procedures on\n                              independence, legal, and ethical requirements that are designed to\n                              provide reasonable assurance that the audit organization and its\n                              personnel maintain independence and comply with applicable legal\n                              and ethical requirements. Such policies and procedures assist the audit\n                              organization to: (a) communicate its independence requirements to\n                              its staff, and (b) identify and evaluate circumstances and relationships\n                              that create threats to independence, and take appropriate action\n                              to eliminate those threats or reduce them to an acceptable level by\n                              applying safeguards, or, if consider appropriate, withdraw from the\n                              audit where withdrawal is not prohibited by law or regulation.\n\n                 The December 2011 GAGAS revision included a new conceptual framework for\n                 independence. GAGAS 3.08 states that this framework should be used by all auditors\n                 to assess their independence in three areas for any project undertaken:                 auditor,\n                 organizational, and audit (to include nonaudit services).\n\n                          \xe2\x80\xa2\t Auditor:     An individual auditor needs to evaluate whether there are\n                              threats to his/her independence. GAGAS 3.22 states:\n\n                                 Auditors should determine whether identified threats to\n                                 independence are at an acceptable level or have been eliminated\n                                 or reduced to an acceptable level. A threat to independence is\n                                 not acceptable if it either (a) could impact the auditor\xe2\x80\x99s ability to\n                                 perform an audit without being affected by influences that\n\n\n\n\n2 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                     Finding A\n\n\n\n     compromise professional judgment or (b) could expose the\n     auditor or audit organization to circumstances that would cause a\n     reasonable and informed third party to conclude that the integrity,\n     objectivity, or professional skepticism of the audit organization,\n     or a member of the audit team, had been compromised.\n\n\xe2\x80\xa2\t Organizational: An audit organization needs to be free of impairments\n  to independence, both externally and internally. DoD audit organizations\n  generally fall under the category of an internal audit organization.\n\n  GAGAS 3.31 states:\n\n     . . . internal auditors who work under the direction of the\n     audited entity\xe2\x80\x99s management are considered independent for\n     the purposes of reporting internally if the head of the audit\n     organization meets all the following criteria: (a) is accountable\n     to the head or deputy head of the entity or those charged with\n     governance; (b) reports the audit results both to the head or\n     deputy head of the government entity and to those charged with\n     governance; (c) is located organizationally outside the staff or line-\n     management function of the unit under audit; (d) has access to\n     those charged with governance; and (e) is sufficiently removed\n     from political pressures to conduct audits and report findings,\n     opinions, and conclusions without fear of political reprisal.\n\n\n\xe2\x80\xa2\t Audit (to include nonaudit services):        All work performed at the audit\n  level must be free of impairments to independence. One of the biggest\n  threats to independence for an audit organization is the performance\n  of a nonaudit service.      The 2011 GAGAS revision contains a significant\n  amount of guidance for evaluating threats to an audit organization\xe2\x80\x99s\n  independence; this must be done before agreeing to perform a nonaudit\n  service. Two key provisions in determining whether to accept a nonaudit\n  service are stated in GAGAS\xc2\xa0 3.34 and 3.35.            GAGAS 3.34 requires the\n  auditor to assess the audited entity management\xe2\x80\x99s ability to oversee\n  the nonaudit service and to determine whether the management\xe2\x80\x99s\n  designated individual possesses suitable skill, knowledge, or experience.\n  GAGAS 3.35 states:\n\n     If an auditor were to assume management responsibilities for\n     an audited entity, the management participation threats created\n     would be so significant that no safeguards could reduce them to\n     an acceptable level. Management responsibilities involve leading\n     and directing an entity, including making decisions regarding the\n     acquisition, deployment and control of human, financial, physical,\n     and intangible resources.\n\n\n\n                                                                               DODIG-2014-089 \xe2\x94\x82 3\n\x0cFinding A\n\n\n\n                 Quality of the Independence Policies\n                 Most of the DoD audit organizations implemented internal policies on or after\n                 the December 2011 issuance of GAGAS to guide their organizations with the new\n                 independence standards (to include nonaudit services).        See Appendix C for a\n                 detailed summary of our review.\n\n                 The quality of the internal policies ranged from just a reference to the new standards\n                 to comprehensive internal guidance. Internal policies that just referenced the new\n                 standard generally stated that the independence standards were revised and referred\n                 to the December 2011 version of GAGAS. The comprehensive policies outlined specific\n                 procedures to follow to assess and document auditor, organizational, and audit\n                 (to include nonaudit services) independence. For example, some policies contained\n                 requirements for both annual and project-specific auditor independence statements.\n                 In addition, some policies showed that the audit organization reported to the head\n                 of the agency, and other policies contained detailed instructions on how to process\n                 a request for a nonaudit service.\n\n                 Every DoD audit organization is unique in size, mission, and complexity. As such,\n                 a one\xe2\x80\x91size-fits-all policy for independence is not appropriate. However, each\n                 organization must ensure that their internal policies adhere to the standards\n                 promulgated in GAGAS. Our recommendations are directed to DoD audit organizations\n                 that either did not create internal policies implementing the December 2011\n                 revision of the GAGAS independence standards or only partially created new policies\n                 (for example, performed nonaudit services but had no internal policy on receiving and\n                 documenting the request for the service and assessing any threat to independence).\n\n\n                 Recommendations, Management Comments, and\n                 Our Response\n                 Recommendation A.1\n                 We recommend that the Commander, United States Special Operations\n                 Command, and the Chief Executive Officer, Navy Exchange Service Command,\n                 ensure their audit organizations create internal policies implementing\n                 the December 2011 generally accepted government auditing standards\n                 independence standards.\n\n\n\n\n4 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                            Finding A\n\n\n\nCommander, United States Special Operations Command Comments\nThe Commander, United States Special Operations Command, agreed and stated its\nAudit Division of the Office of Inspector General updated its independence policies\non April 17, 2013, and included this policy in its updated Standard Operating\nProcedure dated June 27, 2013.\n\n\nOur Response\nComments from the Commander, United States Special Operations Command\naddressed all specifics of the recommendation. No additional comments are required.\n\n\nCommander, Naval Supply Systems Command Comments\nThe Commander, Naval Supply Systems Command, responding for the Chief\nExecutive Officer, Naval Exchange Service Command, agreed with the intent of the\nrecommendation.     The Commander stated that NEXCOM\xe2\x80\x99s internal policies and\nprocedures will be reviewed annually to ensure they reference the current version\nof the generally accepted government auditing standards (Yellow Book). He further\nstated that NEXCOM\xe2\x80\x99s Office of Internal Audit (OIA) procedural manual is general\nin nature by design and that the NEXCOM OIA recognizes the Yellow Book as\nthe overarching guidance.\n\n\nOur Response\nComments from the Commander, Naval Supply Systems Command, addressed the\nintent of the recommendation. No additional comments are required from NEXCOM.\n\n\nRecommendation A.2\nWe recommend that the Directors, Defense Information Systems Agency, and\nNational Geospatial-Intelligence Agency, ensure their audit organizations fully\nimplement the December 2011 generally accepted government auditing\nstandards independence standards.\n\n\nDirectors, Defense Information Systems Agency, and National\nGeospatial-Intelligence Agency Comments\nThe Directors, Defense Information Systems Agency, and National Geospatial-\nIntelligence Agency agreed with the recommendation.         Both agencies provided\n\n\n\n\n                                                                                      DODIG-2014-089 \xe2\x94\x82 5\n\x0cFinding A\n\n\n\n                 updated internal audit policies dated January 2014 and March 21, 2014,\n                 respectively, fully implementing the December 2011 generally accepted government\n                 auditing standards independence standards.\n\n\n                 Our Response\n                 Comments from the Directors, Defense Information Systems Agency, and National\n                 Geospatial-Intelligence Agency addressed all specifics of the recommendation.   No\n                 additional comments are required.\n\n\n                 Recommendation A.3\n                 We recommend that the Director, Missile Defense Agency, and the Director\n                 and Chief Executive Officer, Army and Air Force Exchange Service, ensure that\n                 their audit organizations create internal policies and procedures detailing\n                 how nonaudit service requests will be assessed and documented for potential\n                 impairments to independence.\n\n\n                 Director, Missile Defense Agency Comments\n                 The Director, Missile Defense Agency, agreed with the recommendation.      MDA is\n                 updating their internal audit policies and procedures for assessing and documenting\n                 potential impairments to independence for nonaudit services. The estimated\n                 completion date is the fourth quarter of FY 2014.\n\n\n                 Our Response\n                 Comments from the Director, Missile Defense Agency, addressed all specifics of the\n                 recommendation.     We request that the Director, Missile Defense Agency, provide\n                 a copy of the updated policies and procedures upon issuance.         No additional\n                 comments are required.\n\n\n                 Director and Chief Executive Officer, Army and Air Force Exchange\n                 Service Comments\n                 The Director and Chief Executive Officer, Army and Air Force Exchange Service,\n                 agreed with the recommendation. AAFES provided new internal audit policy\n                 dated December 31, 2013, which establishes procedures detailing how nonaudit\n                 service requests will be assessed and documented for potential impairments to\n                 independence.\n\n\n\n\n6 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                     Finding A\n\n\n\nOur Response\nComments from the Director and Chief Executive Officer, Army and Air Force\nExchange Service, addressed all specifics of the recommendation.   No additional\ncomments are required.\n\n\n\n\n                                                                               DODIG-2014-089 \xe2\x94\x82 7\n\x0cFinding B\n\n\n\n\n                 Finding B\n                 DoD Audit Organizations\xe2\x80\x99 Adherence to the 2011\n                 GAGAS Independence Standards\n                 Of the five audit organizations that performed a nonaudit service, four did not fully\n                 assess and document potential independence impairments before agreeing to perform\n                 the service. Also, some auditors\xe2\x80\x99 statement of independence were either missing or\n                 improperly completed. In addition, one audit organization failed to comply with the\n                 standards when performing control self-assessments and continuous auditing. All of\n                 these conditions placed the audit organizations in a position of potentially impairing\n                 their independence.\n\n\n\n                 GAGAS-Required Analysis and Documentation for\n                 Nonaudit Services\n                 The December 2011 revision of the GAGAS independence standards provided more\n                 comprehensive guidance to auditors for assessing potential threats to independence\n                 when evaluating whether to provide a nonaudit service. One key area of assessment\n                 was determining the ability of management at the audited entity to oversee the\n                 nonaudit service.\n\n                 GAGAS 3.34 states:\n\n                                  Before an auditor agrees to provide a nonaudit service to an\n                                  audited entity, the auditor should determine whether providing\n                                  such a service would create a threat to independence, either by\n                                  itself or in aggregate with other nonaudit services provided, with\n                                  respect to any GAGAS audit it performs. A critical component of\n                                  this determination is consideration of management\xe2\x80\x99s2 ability to\n                                  effectively oversee the nonaudit service to be performed. The\n                                  auditor should determine that the audited entity has designated an\n                                  individual who possesses suitable skill, knowledge, or experience,\n                                  and that the individual understands the services to be performed\n                                  sufficiently to oversee them. The individual is not required to\n                                  possess the expertise to perform or reperform the services. The\n                                  auditor should document consideration of management\xe2\x80\x99s ability to\n                                  effectively oversee nonaudit services to be performed.\n\n\n                 \t2\t\n                       Management, as referred to in GAGAS 3.34, refers to the audited entity\xe2\x80\x99s management, not the DoD audit\n                       organization\xe2\x80\x99s management.\n\n\n\n\n8 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                                      Finding B\n\n\n\nAdditionally, GAGAS 3.59(c) states:\n\n                 [D]ocument consideration of audited entity management\xe2\x80\x99s ability\n                 to effectively oversee a nonaudit service to be provided by the auditor\n                 as indicated in [GAGAS] paragraph 3.34.\n\n\nThree of the five DoD audit organizations that were performing nonaudit\nservices and had nonaudit service projects that fell within the parameters of\nour review period had issued policy, created a memorandum of understanding\nor held meetings (or both), or documented what services were to be provided\nand who was responsible for the service being provided.                                       However, four3 of\nthe five organizations did not determine and document whether the audited\nentity\xe2\x80\x99s management designated an individual who possessed suitable skill,\nknowledge, or experience, and that the individual understood the services\nto       be       performed           sufficiently          to      oversee       them,      as    required   by\nGAGAS 3.34. Our review of the project files, to include the issued final memo or\nreport, did not disclose any impairment to independence because of this oversight.\n\nA best practice for consideration to meet the requirements of GAGAS 3.34\nwould be for the auditor to obtain the position description, a resume, or a\nbiography          for     the     designated         individual.        Then,    use     professional   judgment\nto determine if the information contained in these documents is adequate to\nmeet the intent of GAGAS 3.34, and document this analysis in the project file as\nrequired by GAGAS 3.59(c).\n\n\nMissing or Improperly Completed Auditor Statements\nof Independence\nFor most projects we reviewed, there were instances of missing or improperly\ncompleted auditor statements of independence.                                     The improperly completed\nstatements ranged from not being signed by the supervisor to a potential\nindependence impairment being listed but no documented evidence from the\nsupervisor stating how this potential impairment would be mitigated.\n\nAlthough GAGAS does not specifically require auditor statements of independence,\nit does require audit organizations to establish policies and procedures on\nindependence.              Some statement of independence forms created by the audit\norganizations referenced the GAGAS 2007 revision, some were in draft form and\n\n\t3\t\n      See Recommendation B.1 for a listing of the four DoD audit organizations.\n\n\n\n\n                                                                                                                DODIG-2014-089 \xe2\x94\x82 9\n\x0cFinding B\n\n\n\n                 referenced the GAGAS 2011 revision, and some were current, completely revised,\n                 and referenced the GAGAS 2011 revision.                                   However, because the concept of\n                 auditor independence has not changed from previous revisions, any statement of\n                 independence form declaring an auditor\xe2\x80\x99s independence and having supervisory\n                 review and concurrence would satisfy the intent of documenting auditor\n                 independence.             Therefore, our review determined whether an audit organization\n                 required statements of independence to be completed by their auditors, and\n                 if so, were they completed and filed. Because of the minor nature of the issues\n                 found, we did not make any recommendations in this report to any DoD audit\n                 organization concerning statements of independence. Appendix D contains suggested\n                 best practice for audit organizations to use in formatting auditor statements\n                 of independence.\n\n\n                 Naval Exchange Service Command Internal Audit\xe2\x80\x99s\n                 Application of the GAGAS Conceptual Framework\n                 We reviewed the Naval Exchange Service Command Internal Audit\xe2\x80\x99s (NEXCOM IA\xe2\x80\x99s)\n                 control self-assessment (CSA) activities and continuous auditing activities to\n                 determine whether those activities complied with the December 2011 GAGAS\n                 independence standards4.\n\n                 GAGAS 2.13 states:\n\n                                   When audit organizations provide nonaudit services to entities\n                                   for which they also provide GAGAS audits, they should assess\n                                   the impact that providing those nonaudit services may have on\n                                   auditor and audit organization independence and respond to\n                                   any identified threats to independence in accordance with the\n                                   GAGAS independence standard.\n\n\n                 GAGAS 3.03 (b) states:\n\n                                   Independence in Appearance\n\n                                   The absence of circumstances that would cause a reasonable\n                                   and informed third party, having knowledge of the relevant\n                                   information, to reasonably conclude that the integrity, objectivity,\n                                   or professional skepticism of an audit organization or member\n                                   of the audit team had been compromised.\n\n\n\n\n                 \t4\t\n                       We became aware in November 2012 during a DoD Small Audit Working Group Meeting that NEXCOM was performing\n                       control self-assessments and continuous auditing \xe2\x80\x93 activities not normally performed by most DoD audit organizations.\n                       Therefore, we decided to review these activities at NEXCOM as part of this project.\n\n10 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                                                Finding B\n\n\n\nGAGAS 3.20 states:\n\n                  Auditors should evaluate threats to independence using the\n                  [GAGAS] conceptual framework when the facts and circumstances\n                  under which the auditors perform their work may create or\n                  augment threats to independence. Auditors should evaluate threats\n                  both individually and in the aggregate because threats can have a\n                  cumulative effect on an auditor\xe2\x80\x99s independence.\n\n\nControl Self-Assessments\nCSA is a technique that allows managers and work teams directly involved in business\nunits, functions, or processes to participate in assessing the organization\xe2\x80\x99s risk\nmanagement and control processes. To better understand NEXCOM\xe2\x80\x99s CSA activities,\nwe observed NEXCOM Internal Audit\xe2\x80\x99s staff and the entity\xe2\x80\x99s management conducting\na CSA at a Navy Exchange store. We concluded that NEXCOM Internal Audit should\ninclude in their audit policies how they will safeguard and maintain their independence\nwhen performing CSA activities.\n\n\nContinuous Auditing Activities\nTo better understand NEXCOM IA\xe2\x80\x99s continuous auditing activities and their\nrole in the government purchase card program, we interviewed NEXCOM\nIA staff and a NEXCOM contracting office staff member and reviewed the\nNEXCOM            government          purchase         card       program       regulations        and     procedures.\nDuring our review, we were informed by NEXCOM IA that the continuous\nauditing         activities      they      conducted         in     the    NEXCOM         Government           Purchase\nCard program were a pilot program and their continuous auditing activities\nhad not been fully implemented.                          However, NEXCOM IA personnel stated that\nonce the continuous auditing activities are fully implemented, they will expand\nthem to other areas of NEXCOM and conduct continuous auditing activities as\nperformance audits.\n\nThe         NEXCOM          Corporate          Contracts          office    internal       operating        procedure5\nidentifies the responsibilities of the NEXCOM offices and authorized card-\nholders in the purchase card program, the allowed uses for the purchases card,\nthe internal controls over the purchase card program, and the internal and\nexternal reviews of the program.                      The internal operating procedure identifies the\nNEXCOM IA as the NEXCOM organization that will schedule and conduct a purchase\ncard desk audit or onsite review.\n\n\t 5\t\n        \xe2\x80\x9cThe Navy Non-Appropriated Fund Purchase Card Program - Internal Operating Procedure, Revision Date: 12/8/2009\n       (edited 10/2012).\xe2\x80\x9d\n\n                                                                                                                         DODIG-2014-089 \xe2\x94\x82 11\n\x0cFinding B\n\n\n\n                 During our review of the internal operating procedure, we noted that the\n                 procedure contained language directing the NEXCOM IA to perform transactional\n                 reviews, internal management control reviews, and reviews of other specific\n                 purchase elements.          The internal operating procedure also contained detailed\n                 guidance on how NEXCOM IA would perform these reviews.                        We consider this\n                 to be a potential independence impairment, as it appears the operational unit was\n                 directing NEXCOM\xe2\x80\x99s IA function.\n\n                 Further, we determined that the NEXCOM IA continuous auditing activities as\n                 considered under the pilot program were a nonaudit service. NEXCOM did not apply\n                 the 2011 GAGAS independence standards to their continuous auditing activities pilot\n                 program for the NEXCOM purchase card. The acceptability of, and GAGAS compliance\n                 over, the conduct of continuous auditing as a performance audit was not determined\n                 as part of this review. In addition, NEXCOM IA did not document its consideration of\n                 the audited entity management\xe2\x80\x99s ability to effectively oversee the nonaudit services it\n                 was performing, to include documenting the assigned individual\xe2\x80\x99s skill, knowledge,\n                 or experience.\n\n\n                 Recommendations, Management Comments, and\n                 Our Response\n                 Recommendation B.1\n                 We recommend that the Auditor General, Department of the Army; the Director,\n                 Missile Defense Agency; the Director and Chief Executive Officer, Army\n                 and Air Force Exchange Service; and the Chief Executive Officer, Navy\n                 Exchange Service Command, ensure their audit organizations perform all the\n                 required independence analyses and document the results before accepting a\n                 nonaudit service.\n\n\n                 Auditor General, Department of the Army Comments\n                 The Auditor General, Department of the Army, agreed with the intent of the\n                 recommendation as it relates to documenting the results of their independence\n                 analysis.        However, the Auditor General did not agree that his auditors\n                 were deficient in the independence analysis as required by GAGAS 3.34.\n                 The Auditor General stated that they considered the audited entity\xe2\x80\x99s management\n                 subject     matter   experts   and    as   such,    were    fully    aware    of   the    nonaudit\n                 service they requested and could determine if it met their requirements.\n                 Further,    as    subject    matter   experts,     they    also     had   sufficient     knowledge\n                 of the area and had the ability to either accept or reject the results.                       The\n\n\n12 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                       Finding B\n\n\n\nAuditor General also stated that before accepting the nonaudit service, they\nperformed a thorough and comprehensive evaluation to determine if the\nrequested nonaudit service would impair the agency\xe2\x80\x99s or the auditors\xe2\x80\x99 independence.\nThe evaluation included determining the client\xe2\x80\x99s understanding of the results\nand the services.        He further stated that the client was provided with a\nmemorandum of understanding describing the services agreed to and how the\nresults can and cannot be used.\n\n\nOur Response\nComments from the Auditor General, Department of the Army, did not address\nthe specifics of the recommendation.         GAGAS 3.34 requires the auditor to assess\nthe audited entity management\xe2\x80\x99s ability to oversee the nonaudit service and to\ndetermine whether the management\xe2\x80\x99s designated individual possesses suitable\nskill, knowledge, or experience.       We acknowledged that the Army Audit Agency\ncreated memoranda of understanding and performed other procedures when\nagreeing to perform a nonaudit service.              However, no evidence was provided\nshowing how the auditors evaluated and documented the skill, knowledge, or\nexperience of the designated management individual, as required by GAGAS 3.34.\nThe Auditor General\xe2\x80\x99s comments did not address GAGAS 3.34.                         Our report\nprovided a best practice for some types of documentation that would satisfy the\nGAGAS      requirement   of   determining      whether      the   management\xe2\x80\x99s      designated\nindividual possessed suitable skill, knowledge, or experience.                We request that\nthe Auditor General, Department of the Army, reconsider his position on the\nrecommendation and provide comments in response to the final report.\n\n\nDirector, Missile Defense Agency Comments\nThe Director, Missile Defense Agency, agreed with the recommendation.                        MDA\nis updating its internal audit policies and procedures to include guidance\nto   evaluate   and   document     the     skills,   knowledge,     or   experience     of    the\nmanagement-appointed individual overseeing the nonaudit service.                The estimated\ncompletion date is the fourth quarter of FY 2014.\n\n\nOur Response\nComments from the Director, Missile Defense Agency, addressed all specifics\nof   the   recommendation.        We     request     that   the   Director,   Missile   Defense\nAgency, provide a copy of the updated policies and procedures upon issuance.\nNo additional comments are required.\n\n\n\n\n                                                                                                DODIG-2014-089 \xe2\x94\x82 13\n\x0cFinding B\n\n\n\n                 Director and Chief Executive Officer, Army and Air Force Exchange Service\n                 Comments\n                 The Director and Chief Executive Officer, Army and Air Force Exchange Service,\n                 agreed with the recommendation.          AAFES provided new internal audit policy\n                 dated     December    31,   2013,   which     establishes     procedures     on   evaluating\n                 and documenting the skills, knowledge, or experience of the management-appointed\n                 individual overseeing the nonaudit service.\n\n\n                 Our Response\n                 Comments from the Director and Chief Executive Officer, Army and Air Force\n                 Exchange Service, addressed all specifics of the recommendation.              No additional\n                 comments are required.\n\n\n                 Commander, Naval Supply Systems Command Comments\n                 The Commander, Naval Supply Systems Command, responding for the Chief Executive\n                 Officer, Naval Exchange Service Command, agreed with the recommendation,\n                 stating that if and when NEXCOM OIA accepts to perform a nonaudit service,\n                 the     proper   documentation   will   be    prepared   in     accordance    with   GAGAS.\n                 The Commander also stated that the NEXCOM OIA uses control self-assessments\n                 and continuous auditing to facilitate traditional audits, and does not consider\n                 these processes to be nonaudit services.         Further, the Commander stated that\n                 GAGAS 3.40 specifies that routine activities performed by auditors that relate\n                 directly to the performance of an audit, such as providing advice and responding\n                 to questions as part of an audit, are not nonaudit services, according to GAGAS.\n                 Such routine activities generally involve providing advice or assistance to the\n                 entity on an informal basis as part of an audit.         Routine activities typically are\n                 insignificant in terms of time incurred or resources expended and generally do not\n                 result in a specific project or engagement or in the auditors producing a formal\n                 report or other formal work product.\n\n\n                 Our Response\n                 Comments from the Commander, Naval Supply Systems Command partially\n                 addressed the recommendation.       NEXCOM OIA stated its review of the NEXCOM\n                 government purchase card program, using ACL Services Ltd. ACL Audit Exchange\n                 software program, was a continuous audit.         However, based on our observation,\n                 the continuous audit program was not fully developed.            NEXCOM OIA stated that\n                 its continuous auditing program was still in a testing phase, and as such, lacked\n                 a formal process for reporting findings and recommendations and tracking\n                 management\xe2\x80\x99s actions on those recommendations.              During this pilot program, the\n\n14 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                   Finding B\n\n\n\nauditors were providing management, on a monthly, informal basis, all the\nanomalies they found when running this continuous auditing program on the\ngovernment purchase card transactional database, thereby creating the potential\nfor independence impairment.            NEXCOM OIA       stated that they were going to\nfully implement the ACL Audit Exchange software program to perform audits in\naccordance with GAGAS on this and other NEXCOM programs in the near future.\nBased on the above, we determined that the way NEXCOM OIA was performing\nthis continuous auditing pilot program was a nonaudit service, and therefore,\nNEXCOM OIA should have performed all the GAGAS-required independence\nanalyses and documented the results before performing this service to mitigate\nany potential independence impairments. Upon NEXCOM OIA\xe2\x80\x99s full implementation\nof its continuous auditing program, to include reporting on findings and\nrecommendations, and tracking management action on those recommendations,\nthe appearance of a potential independence impairment would no longer exist. We\nrequest the Commander, Naval Supply Systems Command, reconsider his position on\nthe recommendation and provide comments in response to the final report.\n\n\nRecommendation B.2\nWe recommend that the Chief Executive Officer, Naval Exchange Service\nCommand, ensure that his audit organization revise its internal audit\npolicies to include procedures for performing control self-assessments and\ncontinuous auditing.\n\n\nCommander, Naval Supply Systems Command Comments\nThe Commander, Naval Supply Systems Command, responding for the Chief\nExecutive     Officer,    Naval   Exchange    Service   Command,       disagreed   with   the\nrecommendation.          The   Commander     stated   that   control   self-assessments   and\ncontinuous auditing are not nonaudit services; and therefore, a revision to\nNEXCOM OIA\xe2\x80\x99s policies would be inaccurate.               He further stated that NEXCOM\nOIA\xe2\x80\x99s procedural manual would provide routine internal control advice to\nNEXCOM\xe2\x80\x99s management.\n\n\nOur Response\nComments from the Commander, Naval Supply Systems Command, did not\naddress the specifics of the recommendation.                 We recognize that performing\ncontrol     self-assessments      and   continuous    auditing   are   proactive   measures.\nHowever, since there are no GAGAS standards or International Standards for\nthe Professional Practice of Internal Auditing (Standards) specifically covering\n\n\n\n                                                                                            DODIG-2014-089 \xe2\x94\x82 15\n\x0cFinding B\n\n\n\n                 control self-assessments and continuous auditing, it would be incumbent upon\n                 NEXCOM OIA to document in its internal audit policies how it performs these\n                 processes.      We request the Commander, Naval Supply Systems Command,\n                 reconsider his position on the recommendation and provide comments in response\n                 to the final report.\n\n\n                 Recommendation B.3\n                 We recommend that the Chief Executive Officer, Navy Exchange Service\n                 Command, remove the language from \xe2\x80\x9cThe Navy Non-Appropriated Fund\n                 Purchase Card Program-Internal Operating Procedure, Revision Date: 12/8/2009\n                 (edited 10/2012)\xe2\x80\x9d that appears to direct the functions of the Office of\n                 Internal Audit.\n\n\n                 Commander, Naval Supply Systems Command Comments\n                 The Commander, Naval Supply Systems Command, responding for the Chief\n                 Executive    Officer,   Naval   Exchange   Service   Command,   disagreed   with   the\n                 recommendation.         The Commander stated that NEXCOM OIA\xe2\x80\x99s organizational\n                 independence is safeguarded by having NEXCOM OIA reporting directly to the\n                 Chief Executive Office, Navy Exchange Service Command.             He further stated\n                 that the language in the internal operating procedure manual was prepared by\n                 NEXCOM OIA, and this can be viewed as an additional safeguard for NEXCOM\n                 OIA\xe2\x80\x99s independence.       Additionally, the Commander stated that this language in\n                 the internal operating procedure manual is compliant with GAGAS.\n\n\n                 Our Response\n                 Comments from the Commander, Naval Supply Systems Command, did not address\n                 the specifics of the recommendation.       Having an internal audit organization write\n                 policy contained in the audited entity\xe2\x80\x99s management\xe2\x80\x99s operational procedural\n                 manual creates the potential for impairment to independence.            NEXCOM OIA\n                 is responsible for auditing all policies and programs of NEXCOM\xe2\x80\x99s operations and\n                 as such, should not write management policy it would potentially be auditing.\n                 Additionally, any policies protecting NEXCOM OIA\xe2\x80\x99S independence should be part\n                 of NEXCOM OIA\xe2\x80\x99s policies.          We request the Commander, Naval Supply Systems\n                 Command, reconsider his position on the recommendation and provide comments\n                 in response to the final report.\n\n\n\n\n16 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                                                   Appendixes\n\n\n\n\nAppendix A\nScope and Methodology\nWe reviewed the policies of 16 of the 21 DoD audit organizations to determine\nwhether they implemented the December 2011 GAGAS independence standards.\nFive audit organizations were not included in this review for the following reasons.\n\n              \xe2\x80\xa2\t The United States Army Internal Review is currently in the process of\n                  converting         their       personnel          back       to     GS-0511          auditors         from\n                  GS-0510 accountants, and therefore, requires time to reestablish itself\n                  as an audit organization.\n\n              \xe2\x80\xa2\t The National Guard Bureau Internal Review recently fell back under the\n                  oversight authority of the DoD Inspector General (IG) and is scheduled\n                  for a full review in the near future.\n\n              \xe2\x80\xa2\t The       Defense        Intelligence        Agency        (DIA),      National        Reconnaissance\n                  Office (NRO), and National Security Agency (NSA) were, or are being,\n                  covered as a part of the normal peer review process that the DoD IG\n                  administers, to include review of their policy and implementation relative\n                  to the 2011 GAGAS independence standard.6\n\nOf the 16 audit organizations we reviewed, we judgmentally selected projects from\n11 of the organizations. We did not select projects from five organizations for the\nfollowing reasons.\n\n              \xe2\x80\xa2\t The Defense Contract Audit Agency\xe2\x80\x99s policies and procedures are\n                  overseen by the DoD Deputy Inspector General, Policy and Oversight,\n                  Audit and Policy Oversight, Contract Audit Policy and Oversight division.\n\n              \xe2\x80\xa2\t The Defense Contract Management Agency received a pass rating from an\n                  external quality control review.\n\n              \xe2\x80\xa2\t The Defense Information System Agency and the Defense Logistics\n                  Agency will receive a full quality control review in the near future due to\n                  their failure in a recent external Quality Control Review.\n\n              \xe2\x80\xa2\t The National Geospatial-Intelligence Agency did not have any completed\n                  projects within the scope of our review.\n\n\t6\t\n      NSA\xe2\x80\x99s peer review report was issued on February 27, 2013; NRO is currently undergoing a peer review; and DIA is due a\n      peer review this fiscal year.\n\n\n\n\n                                                                                                                              DODIG-2014-089 \xe2\x94\x82 17\n\x0cAppendixes\n\n\n\n                 As part of our review, we:\n\n                          \xe2\x80\xa2\t obtained the current policies from the audit organizations;\n\n                          \xe2\x80\xa2\t obtained a listing of all performance projects, to include nonaudit\n                            services projects;\n\n                          \xe2\x80\xa2\t contacted the GAO; and\n\n                          \xe2\x80\xa2\t contacted other Federal Offices of Inspectors General to benchmark their\n                            implementation of the December 2011 Version of GAGAS.\n\n                                   \xc2\xb0\xc2\xb0 Department of Justice,\n\n                                   \xc2\xb0\xc2\xb0 Department of Housing and Urban Development,\n\n                                   \xc2\xb0\xc2\xb0 House of Representatives,\n\n                                   \xc2\xb0\xc2\xb0 National Aeronautics and Space Administration,\n\n                                   \xc2\xb0\xc2\xb0 National Science Foundation, and\n\n                                   \xc2\xb0\xc2\xb0 Legal Services Corporation.\n\n                 Our review covered the period December 15, 2011, through January 29, 2013. We\n                 performed this review from December 2012 through November 2013 in accordance\n                 with the standards published in the Council of the Inspectors General on Integrity and\n                 Efficiency, \xe2\x80\x9cQuality Standards for Inspection and Evaluation,\xe2\x80\x9d January 2012.\n\n\n                 Use of Computer-Processed Data\n                 We did not use computer-processed data to perform this audit.\n\n\n                 Prior Coverage\n                 During the last 5 years, no prior coverage has been conducted on implementation of\n                 the December 2011 GAGAS independence standards.\n\n\n\n\n18 \xe2\x94\x82 DODIG-2014-089\n\x0cAppendix II\n                                                                                                                 Appendixes\nGAGAS Conceptual    Framework\n             FOR OFFICIAL USE ONLY for                                                                            Appendixes\n\nIndependence\n Appendix B\n                                                                                                           Append\n                                                                                                                x\n                                                                                                                Ii\n\n\n\n\n   Appendix B\n GAGAS Conceptual Framework for Independence\n   GAGAS Conceptual Framework for Independence\n                                                         GAGAS Conceptual Framework\n               Assess condition or activity for               for Independence\n                 threats to independence\n\n                                                  No\n                     Threat identified?                 Proceed\n\n                                Yes\n                                                          Is the nonaudit service\n               Is threat related to a nonaudit    Yes    specifically prohibited in   Yes\n                           service?                     GAGAS paragraphs 3.36 or\n                                                            3.49 through 3.58?\n                                No\n                                                                       No\n\n               Assess threat for significance\n\n                                                  No\n                    Is threat significant?              Proceed\n\n                                Yes\n\n                     Identify and apply\n                       safeguard(s)\n\n\n\n                    Assess safeguard(s)\n                       effectiveness\n\n               Is threat eliminated or reduced No\n                    to an acceptable level?\n\n                                Yes\n\n               Document nature of threat and\n                  any safeguards applied\n\n\n\n                                                                                  Independence\n                            Proceed                                             impairment; do not\n                                                                                     proceed\n\n\n                                      Source: GAO.\n              Source: GAO\n\n\n\n                                      Page 215            GAO-12-331G Government Auditing Standards\n\n                              DRAFT REPORT              FOR OFFICIAL USE ONLY\n                                                                                        Project No. D2013-DAPOIA-0011.001 \xe2\x94\x82 13\n                                                                                                       DODIG-2014-089 \xe2\x94\x82 19\n\x0cAppendixes\n\n\n\n\n                 Appendix C\n                 DoD Audit Organizations\xe2\x80\x99 Policies on Independence\n                       DoD Audit Organizations\xe2\x80\x99 Policies on Independence (to include Nonaudit Services) Implementing Government\n                                                       Auditing Standards, December 2011 Revision\n\n                       DoD Audit                Auditor Independence                   Organizational Independence1                     Nonaudit Services\n                      Organization            GAGAS 3.08, 3.20, and 3.88                       GAGAS 3.31                            GAGAS 3.33-3.58, and 3.88\n\n                      AAA                                    YES                                        YES                                         YES\n                      AAFES                                  YES                                        YES                                         NO3\n                      AFAA                                   YES                                        YES                                         NO4\n                      Army IR2                               N/R                                        N/R                                         N/R\n                      DeCA                                   YES                                        YES                                         YES\n                      DCAA                                   YES                                        YES                                         YES\n                      DCMA                                   YES                                        YES                                         YES\n                      DFAS                                   YES                                        YES                                         YES\n                      DISA                                   NO5                                        YES                                         NO5\n                      DIA                                    N/R                                        N/R                                         N/R\n                      DLA                                    YES                                        YES                                         YES\n                      DOD IG                                 YES                                        YES                                         YES\n                      MCNAFAS                                YES                                        NO6                                         YES\n                      MDA                                    YES                                        YES                                         NO3\n                      NGA                                    NO5                                        YES                                         NO4\n                      NGB                                    N/R                                        N/R                                         N/R\n                      NRO                                    N/R                                        N/R                                         N/R\n                      NSA                                    N/R                                        N/R                                         N/R\n                      NAS                                    YES                                        YES                                         YES\n                      NEXCOM                                 NO7                                        YES                                         NO3\n                      USSOCOM                                NO8                                        YES                                         NO4\n\n                      1 \t\n                            Organizational Independence in this table refers to whether the audit organization reports to the head of the agency.\n                      2 \t\n                            In a June 14, 2013, memorandum, the Secretary of the Army directed all Army Internal Review personnel to convert back\n                            to GS-0511 series auditors.\n                      3 \t\n                            AAFES, MDA, and NEXCOM perform nonaudit services, but neither AAFES nor MDA had internal policies governing\n                            the performance of a nonaudit service, and NEXCOM did not have updated policies. MDA fills out a nonaudit services\n                            statement form to document who requested the service; that the service was not done in accordance with GAGAS; and\n                            that they used the GAGAS Conceptual Framework for Independence in determining whether to perform the requested\n                            nonaudit service. However, this form does not contain a section to document the new nonaudit services requirement in\n                            GAGAS 3.34 to evaluate and document the skill, knowledge, or experience of the management-appointed individual who\n                            would oversee the nonaudit service.\n\n\n\n\n20 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                                                                  Appendixes\n\n\n\n4 \t\n      AFAA, NGA, and USSOCOM stated they do not perform nonaudit services.\n5 \t\n      DISA\xe2\x80\x99s current audit policies are dated March 2011, and NGA\xe2\x80\x99s are dated September 29, 2009. DISA and NGA are in the\n      process of updating their policies. However, DISA and NGA revised their statement of independence form to implement\n      the December 2011 GAGAS independence standard for auditor independence; and DISA developed a nonaudit services\n      checklist.\n6 \t\n      The Marine Corps Nonappropriated Fund Audit Service (MCNAFAS) does not report directly to the Commandant or\n      Assistant Commandant, United States Marine Corps. MCNAFAS is situated in the Deputy Commandant, Programs and\n      Resources (P&R) office and reports directly to the Assistant Deputy Commandant, P&R.\n7 \t\n      NEXCOM IA current audit policies are dated 1997 (and updated as needed, but not re-dated). Based on the policies\n      provided, we concluded that their audit policies were not updated to reflect the December 2011 GAGAS.\n8 \t\n      USSOCOM did not have internal audit policies implementing the December 2011 GAGAS independence standards.\n      However, during our review, they issued new internal audit policies on April 17, 2013, and these policies adequately\n      implement the December 2011 GAGAS independence standards.\n\nNR = Not Reviewed (see Appendix A Scope and Methodology for reasons).\n\n\n\n\n                                                                                                                             DODIG-2014-089 \xe2\x94\x82 21\n\x0cAppendixes\n\n\n\n\n                 Appendix D\n                 Best Practice for Formatting Auditor Statement of\n                 Independence\n                 After comparing 16 different auditor statements of independence from the DoD audit\n                 organizations we reviewed, we suggest that the following be included in an auditor\n                 statement of independence:\n\n                         \xe2\x80\xa2\t document title (for example, Annual Statement of Independence or\n                           Project-Specific Statement of Independence);\n\n                         \xe2\x80\xa2\t fields for name, title, and fiscal or calendar year (for annual statement of\n                           independence) and project title, project number, team member\xe2\x80\x99s name, and\n                           team member\xe2\x80\x99s title (for project specific statement of independence);\n\n                         \xe2\x80\xa2\t a paragraph referencing GAGAS and the audit organization\xe2\x80\x99s internal\n                           policies for independence;\n\n                         \xe2\x80\xa2\t fields for auditors to state they are independent or they have a potential\n                           impairment (and stating the potential impairment), and a place to sign and\n                           date; and\n\n                         \xe2\x80\xa2\t fields for the auditor\xe2\x80\x99s supervisor to concur with the auditor\xe2\x80\x99s stated\n                           independence or how a potential impairment is dealt with (for example,\n                           the auditor cannot audit in a certain area of the organization or the auditor\n                           has been reassigned to another audit) and a place to sign and date.\n\n\n\n\n22 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                                             Management Comments\n\n\n\n\nManagement Comments\nThe Auditor General, Department of the Army Comments\n\n\n\n                                    DEPARTMENT OF THE ARMY\n                                         U.S. ARMY AUDIT AGENCY\n                            OFFICE OF THE PRINCIPAL DEPUTY AUDITOR GENERAL\n                                            TH\n                                      6000 6 STREET, BUILDING 1464\n                                       FORT BELVOIR, VA 22060-5609\n\n\n\n\n    SAAG-ZB                                                                       14 April 2014\n\n\n    MEMORANDUM FOR Mr. Randolph R. Stone, Deputy Inspector General, Policy and\n    Oversight, 4800 Mark Center Drive, Alexandria, VA 22350-1500\n\n    SUBJECT: Official Reply to DODIG Report Implementation of 2011 Generally Accepted\n    Government Auditing Standards Independence Standards at the DOD Audit\n    Organizations, 7 March 2014 (Project No. D2013-DAPOIA-0011.001)\n\n\n    1. The U.S. Army Audit Agency (AAA) has reviewed the subject draft report. We\n    concur with the intent of the recommendation but not fully with the details in the report.\n\n    2. The following paragraphs contain the review objective, conclusion, recommendation\n    and our response:\n\n        a. Objective: To determine whether the DOD audit organizations implemented the\n    December 2011 Generally Accepted Government Auditing Standards (GAGAS)\n    independence standards and whether the standards were being followed.\n\n         b. Conclusion: [As the report relates to non-audit service provided to an audited\n    entity] \xe2\x80\x9c. . .four of the five organizations did not determine and document whether the\n    audited entity\xe2\x80\x99s management designated an individual who possessed suitable skill,\n    knowledge, or experience, and that the individual understood the services to be\n    performed sufficiently to oversee them, as required by GAGAS 3.34. Our review of the\n    project files, to include the issued final memo or report, did not disclose any impairment\n    to independence because of this oversight.\xe2\x80\x9d\n\n        c. Recommendation: We recommend that The Auditor General, Department of\n    the Army ensure their audit organization perform all of the required independence\n    analysis and document the results before accepting a non-audit service.\n\n        d. AAA Response: AAA agrees with the intent of the recommendation as it relates\n    to documenting the results of our independence analysis. However, we don\xe2\x80\x99t agree that\n    that Agency\xe2\x80\x99s auditors were deficient in the independence analysis as required by\n    GAGAS 3.34. When discussing the intent of the standard and our projects with technical\n    assistance at GAO, we concluded that we did meet the intent of GAGAS 3.34, but did\n    not adequately document our analysis. Agency non-audit service engagements, which\n    are small in number, are not overseen by personnel from the audited entity, and for the\n    projects selected by the DoDIG audit team, clients receiving our products did not\n    oversee our work. We considered them functional subject matter experts, and,\n\n\n\n\n                                                                                                   DODIG-2014-089 \xe2\x94\x82 23\n\x0cManagement Comments\n\n\n\n                 The Auditor General, Department of the Army\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n                      SAAG-ZB\n                      SUBJECT: Official Reply to DODIG Report Implementation of 2011 Generally Accepted\n                      Government Auditing Standards Independence Standards at the DOD Audit\n                      Organizations, 7 March 2014 (Project No. D2013-DAPOIA-0011.001)\n\n\n                      therefore, these clients were fully aware of the service they requested and could decide\n                      whether our product met their intent. As subject matter experts, they also had sufficient\n                      knowledge of the area and had the ability to either accept or reject our results. This is\n                      the essence of oversight.\n\n                               Before accepting a non-audit service, we performed a thorough and\n                      comprehensive evaluation to determine if the requested nonaudit services would impair\n                      either the Agency\xe2\x80\x99s or the auditor\xe2\x80\x99s independence for conducting present or future\n                      engagements at the entity that requested such services. This evaluation includes\n                      determining the client\xe2\x80\x99s understanding of the results of our services and our products.\n                      On future engagements we plan to better document our evaluation and the client\xe2\x80\x99s\n                      understanding.\n\n                               In the case of the project in question, management only provided the basic\n                      information needed for us to perform our analysis. They did not oversee the project.\n                      The audit team provided the client with a memorandum of understanding (MOU) that\n                      had a comprehensive description of the services we agreed to provide and how the\n                      results can and cannot be used. The MOU was included in the audit files.\n\n                      3. We want to thank the DODIG audit team for their review. If you have any additional\n                      questions or concerns,\n\n\n                      FOR THE AUDITOR GENERAL:\n\n\n\n\n                                                               JOSEPH P. BENTZ\n                                                               Principal Deputy Auditor General\n\n                      CF:\n                      Program Director, Audit Policy and Coordination, USAAA\n\n\n\n\n                                                                  2\n\n\n\n\n24 \xe2\x94\x82 DODIG-2014-089\n\x0c                                             Management Comments\n\n\n\nDirector, Defense Information Systems Agency Comments\n\n\n\n\n                                                   DODIG-2014-089 \xe2\x94\x82 25\n\x0cManagement Comments\n\n\n\n                 Director, Defense Information Systems Agency\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n26 \xe2\x94\x82 DODIG-2014-089\n\x0c                                               Management Comments\n\n\n\nDirector, National Geospatial-Intelligence Agency Comments\n\n\n\n\n                                                     DODIG-2014-089 \xe2\x94\x82 27\n\x0cManagement Comments\n\n\n\n                 Director, National Geospatial-Intelligence Agency\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n28 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                    Management Comments\n\n\n\nDirector, National Geospatial-Intelligence Agency\nComments (cont\xe2\x80\x99d)\n\n\n\n\n                                                          DODIG-2014-089 \xe2\x94\x82 29\n\x0cManagement Comments\n\n\n\n                 Director, National Geospatial-Intelligence Agency\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n30 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                    Management Comments\n\n\n\nDirector, National Geospatial-Intelligence Agency\nComments (cont\xe2\x80\x99d)\n\n\n\n\n                                                          DODIG-2014-089 \xe2\x94\x82 31\n\x0cManagement Comments\n\n\n\n                 Director, National Geospatial-Intelligence Agency\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n32 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                    Management Comments\n\n\n\nDirector, National Geospatial-Intelligence Agency\nComments (cont\xe2\x80\x99d)\n\n\n\n\n                                                          DODIG-2014-089 \xe2\x94\x82 33\n\x0cManagement Comments\n\n\n\n                 Director, National Geospatial-Intelligence Agency\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n34 \xe2\x94\x82 DODIG-2014-089\n\x0c                                            Management Comments\n\n\n\nDirector, Missile Defense Agency Comments\n\n\n\n\n                                                  DODIG-2014-089 \xe2\x94\x82 35\n\x0cManagement Comments\n\n\n\n                 Director, Missile Defense Agency Comments (cont\xe2\x80\x99d)\n\n\n\n\n36 \xe2\x94\x82 DODIG-2014-089\n\x0c                                              Management Comments\n\n\n\nCommander, United States Special Operations\nCommand Comments\n\n\n\n\n                                                    DODIG-2014-089 \xe2\x94\x82 37\n\x0cManagement Comments\n\n\n\n                 Director and Chief Executive Officer, Army and Air Force\n                 Exchange Service Comments\n\n\n\n\n                                                    ARMY & AIR FORCE EXCHANGE SERVICE\n                                                               P. O. Box 660202\n                                                             Dallas, TX 75226-0202\n                                                                 (214) 312-2011\n\n\n\n\n                                                                                                 31 March 2014\n\n                      FROM:      Director and Chief Executive Officer, Army & Air Force Exchange Service\n\n                      TO:        Department of Defense Inspector General, Deputy Inspector General for Policy\n                                 and Oversight\n\n                      SUBJECT: Management Response, Implementation of 2011 Generally Accepted\n                               Government Auditing Standards Independence Standards at the DoD Audit\n                               Organizations, Project No. D2013-DAPOIA-0011.001\n\n\n                      1.    We concur with the findings and recommendations. Noted below are our\n                            management responses:\n\n                            a.   Recommendation A.3 Concur. The AAFES Audit Division established internal\n                                 policies and procedures detailing how nonaudit service requests will be\n                                 assessed and documented for potential impairments to independence.\n                                 Completion date was 31 December 2013.\n\n                            b.   Recommendation B.1 Concur. The AAFES Audit Division established internal\n                                 policies and procedures to ensure the audit organization performs all the\n                                 required independence analysis and documents the results before accepting a\n                                 nonaudit service. Completion date was 31 December 2013.\n\n                      2.    Thank you for your team\xe2\x80\x99s assistance in identifying the procedures required and\n                            suggestions for complying with the requirements for providing nonaudit services in\n                            accordance with generally accepted government auditing standards.\n\n\n\n\n                                                                        THOMAS C. SHULL\n                                                                        Director/CEO\n\n\n\n\n38 \xe2\x94\x82 DODIG-2014-089\n\x0c                                         Management Comments\n\n\n\nCommander, Naval Supply Systems Command Comments\n\n\n\n\n                                               DODIG-2014-089 \xe2\x94\x82 39\n\x0cManagement Comments\n\n\n\n                 Commander, Naval Supply Systems Command\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n40 \xe2\x94\x82 DODIG-2014-089\n\x0c                                          Management Comments\n\n\n\nCommander, Naval Supply Systems Command\nComments (cont\xe2\x80\x99d)\n\n\n\n\n                                                DODIG-2014-089 \xe2\x94\x82 41\n\x0cManagement Comments\n\n\n\n                 Commander, Naval Supply Systems Command\n                 Comments (cont\xe2\x80\x99d)\n\n\n\n\n42 \xe2\x94\x82 DODIG-2014-089\n\x0c                                                                              Acronyms and Abbreviations\n\n\n\n\nAcronyms and Abbreviations\n          AAA Army Audit Agency\n      AAFES IR Army and Air Force Exchange Service Internal Review\n         AFAA Air Force Audit Agency\n      ARMY IR U.S. Army Internal Review\n        CONUS Continental United States\n           CSA Control Self-Assessment\n         DCAA Defense Contract Audit Agency\n      DCMA IR Defense Contract Management Agency Internal Review\n       DeCA IA Defense Commissary Agency Internal Audit\n       DFAS IR Defense Finance and Accounting Service Internal Review\n       DIA OIG Defense Intelligence Agency Office of Inspector General\n       DISA IR Defense Information Systems Agency Internal Review\n        DLA IR Defense Logistics Agency Internal Review\n      DoD OIG Department of Defense Office of Inspector General\n        GAGAS Generally Accepted Government Auditing Standards\n          GAO Government Accountability Office\n          GPC Government Purchase Card\n            IG Inspector General\n     MCNAFAS Marine Corps Nonappropriated Funds Audit Service\n       MDA IR Missile Defense Agency Internal Review\n          NAS Naval Audit Service\n   NEXCOM IA Naval Exchange Service Command Internal Audit\n  NEXCOM OIA Naval Exchange Service Command Office of Internal Audit\n      NGA OIG National Geospatial-Intelligence Agency Office of Inspector General\n        NGB IR National Guard Bureau Internal Review\n      NRO OIG National Reconnaissance Organization Office of Inspector General\n      NSA OIG National Security Agency Office of Inspector General\n      OCONUS Outside Continental United States\n           OIG Office of Inspector General\n USSOCOM OIG U.S. Special Operations Command Office of Inspector General\n\n\n\n\n                                                                                         DODIG-2014-089 \xe2\x94\x82 43\n\x0c\x0c            Whistleblower Protection\n           U.S. Department of Defense\nThe Whistleblower Protection Enhancement Act of 2012 requires\nthe Inspector General to designate a Whistleblower Protection\nOmbudsman to educate agency employees about prohibitions\non retaliation, and rights and remedies against retaliation for\nprotected disclosures. The designated ombudsman is the DoD Hotline\nDirector. For more information on your rights and remedies against\n     retaliation, visit www.dodig.mil/programs/whistleblower.\n\n\n\n\n   For more information about DoD IG\n  reports or activities, please contact us:\n                      Congressional Liaison\n               congressional@dodig.mil; 703.604.8324\n\n                             Media Contact\n                public.affairs@dodig.mil; 703.604.8324\n\n                        Monthly Update\n                dodigconnect-request@listserve.com\n\n                       Reports Mailing List\n                     dodig_report@listserve.com\n\n                               Twitter\n                         twitter.com/DoD_IG\n\n                           DoD Hotline\n                          dodig.mil/hotline\n\x0cD E PA R T M E N T O F D E F E N S E \xe2\x94\x82 I N S P E C T O R G E N E R A L\n                     4800 Mark Center Drive\n                   Alexandria, VA 22350-1500\n                         www.dodig.mil\n                 Defense Hotline 1.800.424.9098\n\x0c'